[DSE-Dev] SELinux state for Bullseye

Russell Coker russell at coker.com.au
Mon Feb 8 01:24:27 GMT 2021


On Monday, 8 February 2021 03:41:23 AEDT Christian Göttsche wrote:
> Dear SELinux maintainers,
> 
> As the freeze for Debian Bullseye approaches, I took a look at the
> SELinux related Debian packages.
> Most of the packages use debhelper compat level 12, while level 13 is
> the recommended mode and e.g. uses 'dh_missing --fail-missing' by
> default.
> Also most packages are built without enabled build hardening flags,
> see https://wiki.debian.org/Hardening .
> Therefore I prepared several merge requests on salsa.d.o:

Great work!

> src:libselinux
>     https://salsa.debian.org/selinux-team/libselinux/-/merge_requests/4
>     p.s.: the proposed fix for #979970 lgtm.

A comment refers to missing hardening flags; did you forget to change that, or 
is something still missing?
 
> src:libsemanage
>     https://salsa.debian.org/selinux-team/libsemanage/-/merge_requests/5

-Architecture: linux-any
+Architecture: all
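Review bot: Architecture: all declares a binary package architecture-independent, so it only fits a stanza whose contents carry no compiled objects, and this hunk shows no surrounding context to tell which of libsemanage's package stanzas it applies to. The merge request should name the stanza and say why its package is now architecture-independent; for a stanza that ships the library or the Python bindings, linux-any has to stay.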

What's this for?

> src:libsepol
>     https://salsa.debian.org/selinux-team/libsepol/-/merge_requests/3

Again a comment refers to missing hardening flags.

> src:selinux-basics
>     https://salsa.debian.org/selinux-team/selinux-basics/-/merge_requests/1


         if grep -q selinux=1 $n ; then
           if ! grep -q security=selinux $n ; then
-            sed -e "s/selinux=1/selinux=1 security=selinux/" < $n > $n.new
+            sed -e "s/selinux=1/lsm=selinux/" < $n > $n.new
             mv $n.new $n
             update-grub
           fi
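Review bot: the guard no longer matches the rewrite. The outer test still looks for selinux=1 and the inner one for security=selinux, but the new + line turns selinux=1 into lsm=selinux and leaves no security=selinux behind, so a file that already has security=selinux next to selinux=1 is skipped and never gains lsm=selinux, while a file with only selinux=1 ends up with lsm=selinux but no security= parameter for kernels that predate lsm=. Drop selinux=1, add lsm=selinux beside the existing security=selinux, and make the inner test check for lsm=selinux; note also that the unanchored s/selinux=1/ pattern matches inside any longer parameter name ending in selinux=1.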

The above isn't what we need to do.

         if grep -q security=selinux $n ; then
           if ! grep -q lsm=selinux $n ; then
             # drop the legacy selinux=1 and add lsm=selinux next to security=selinux
             sed -e "s/ \?selinux=1//" -e \
               "s/security=selinux/security=selinux lsm=selinux/" < $n > $n.new
             mv $n.new $n
             update-grub
           fi
         fi

Something like the above (not tested) is what we need.

Also we need a matching patch for selinux-activate, I've attached something 
that might work.

Which kernel first supported lsm=selinux?  If the Buster kernel didn't support 
it then I'd like to keep using security=selinux for Bullseye as well as 
lsm=selinux (like we did when transitioning from selinux=1).

The rest were all great, would you like to build and upload?

-- 
My Main Blog         http://etbe.coker.com.au/
My Documents Blog    http://doc.coker.com.au/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: seliux-activate.diff
Type: text/x-patch
Size: 1197 bytes
Desc: not available
URL: <http://alioth-lists.debian.net/pipermail/selinux-devel/attachments/20210208/ac46358b/attachment.bin>
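The command line rewrite discussed above, as an added example that is not part of this mail, the attached selinux-activate patch or the selinux-basics package: a POSIX sh function (the name fix_selinux_cmdline and its optional second argument are my own choices) that takes a kernel command line string, such as the value of GRUB_CMDLINE_LINUX, and returns it with selinux=1 dropped, security=selinux present and an lsm= list that contains selinux. It is idempotent, so it can run on every upgrade rather than only once. On the kernel question raised above: the ordered lsm= parameter was introduced in Linux 5.1, so Buster's 4.19 kernel only understands security=, which is why the function keeps both parameters rather than replacing one with the other. One caveat the hunk above does not address: lsm= is an exhaustive ordered list, and every LSM not named in it is left disabled, so a bare lsm=selinux also switches off minor modules such as yama; the second argument exists to pass the full list you actually want when no lsm= is present yet.

```sh
#!/bin/sh
# Added example (not the selinux-basics or selinux-activate code): rewrite a
# kernel command line so SELinux is selected the way kernels from 5.1 on
# expect while staying bootable on kernels that only know security=.
#
#   selinux=1          legacy parameter, dropped
#   security=selinux   kept or added; the only selector on pre-5.1 kernels,
#                      and on newer ones it makes selinux the exclusive
#                      major LSM even if lsm= also names apparmor or tomoyo
#   lsm=a,b,c          ordered list of LSMs to initialise; selinux is
#                      appended when missing, and when no lsm= exists the
#                      list given as $2 (default: just "selinux") is added
#
# $1: command line string   $2 (optional, hypothetical): lsm= list to install
fix_selinux_cmdline() {
    cmdline=$1
    default_lsm=${2:-selinux}
    out=''
    have_security=0
    have_lsm=0

    # Word-split on whitespace without letting tokens such as root=* glob.
    case $- in *f*) noglob_was_set=1 ;; *) noglob_was_set=0 ;; esac
    set -f
    for tok in $cmdline; do
        case "$tok" in
            selinux=1)
                continue ;;                      # legacy: drop it
            security=*)
                tok='security=selinux'           # (re)select SELinux
                have_security=1 ;;
            lsm=*)
                list=${tok#lsm=}
                case ",$list," in
                    *,selinux,*) ;;                       # already listed
                    *) list="${list:+$list,}selinux" ;;   # append it
                esac
                tok="lsm=$list"
                have_lsm=1 ;;
        esac
        out="${out:+$out }$tok"
    done
    [ "$noglob_was_set" -eq 1 ] || set +f

    [ "$have_security" -eq 1 ] || out="${out:+$out }security=selinux"
    [ "$have_lsm" -eq 1 ]      || out="${out:+$out }lsm=$default_lsm"
    printf '%s\n' "$out"
}

# Stand-alone use: ./fix-cmdline.sh 'quiet selinux=1' [lockdown,yama,selinux]
if [ $# -gt 0 ]; then
    fix_selinux_cmdline "$@"
fi
```

To apply it to a real system you would feed it the current GRUB_CMDLINE_LINUX value from /etc/default/grub, write the result back, and run update-grub; the function itself deliberately touches no files, so it can be tested against constructed strings like the ones in the comments before it is wired into a maintainer script.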


More information about the SELinux-devel mailing list